New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
chore(deps): update dependency django to v1.11.29 [security] #3534
Open
renovate-bot
wants to merge
1
commit into
googleapis:master
Choose a base branch
from
renovate-bot:renovate/pypi-django-vulnerability
base: master
Could not load branches
Branch not found: {{ refName }}
Could not load tags
Nothing to show
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Open
chore(deps): update dependency django to v1.11.29 [security] #3534
renovate-bot
wants to merge
1
commit into
googleapis:master
from
renovate-bot:renovate/pypi-django-vulnerability
+1
−1
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
trusted-contributions-gcf
bot
added
the
kokoro:force-run
Add this label to force Kokoro to re-run the tests.
label
Feb 2, 2022
renovate-bot
force-pushed
the
renovate/pypi-django-vulnerability
branch
from
February 3, 2022 00:33
fba5f39
to
bbe3bdd
Compare
renovate-bot
changed the title
chore(deps): update dependency django to v1.11.29 [security]
chore(deps): update dependency django to v2 [security]
Feb 3, 2022
renovate-bot
force-pushed
the
renovate/pypi-django-vulnerability
branch
from
February 3, 2022 02:44
bbe3bdd
to
abd2386
Compare
renovate-bot
changed the title
chore(deps): update dependency django to v2 [security]
chore(deps): update dependency django to v1.11.29 [security]
Feb 3, 2022
renovate-bot
force-pushed
the
renovate/pypi-django-vulnerability
branch
from
February 3, 2022 04:23
abd2386
to
0f16c3c
Compare
renovate-bot
changed the title
chore(deps): update dependency django to v1.11.29 [security]
chore(deps): update dependency django to v2 [security]
Feb 3, 2022
renovate-bot
force-pushed
the
renovate/pypi-django-vulnerability
branch
from
February 3, 2022 08:55
0f16c3c
to
f455e23
Compare
renovate-bot
changed the title
chore(deps): update dependency django to v2 [security]
chore(deps): update dependency django to v1.11.29 [security]
Feb 3, 2022
renovate-bot
force-pushed
the
renovate/pypi-django-vulnerability
branch
from
February 3, 2022 12:31
f455e23
to
bed5af4
Compare
renovate-bot
changed the title
chore(deps): update dependency django to v1.11.29 [security]
chore(deps): update dependency django to v2 [security]
Feb 3, 2022
renovate-bot
force-pushed
the
renovate/pypi-django-vulnerability
branch
from
February 3, 2022 15:12
bed5af4
to
0b1ace6
Compare
renovate-bot
changed the title
chore(deps): update dependency django to v2 [security]
chore(deps): update dependency django to v1.11.29 [security]
Feb 3, 2022
renovate-bot
force-pushed
the
renovate/pypi-django-vulnerability
branch
from
February 4, 2022 04:30
0b1ace6
to
069e21e
Compare
renovate-bot
changed the title
chore(deps): update dependency django to v1.11.29 [security]
chore(deps): update dependency django to v2 [security]
Feb 4, 2022
renovate-bot
force-pushed
the
renovate/pypi-django-vulnerability
branch
from
February 4, 2022 09:38
069e21e
to
65af5ef
Compare
renovate-bot
changed the title
chore(deps): update dependency django to v2 [security]
chore(deps): update dependency django to v1.11.29 [security]
Feb 4, 2022
renovate-bot
force-pushed
the
renovate/pypi-django-vulnerability
branch
from
February 4, 2022 11:21
65af5ef
to
cd13e88
Compare
renovate-bot
changed the title
chore(deps): update dependency django to v1.11.29 [security]
chore(deps): update dependency django to v2 [security]
Feb 4, 2022
renovate-bot
force-pushed
the
renovate/pypi-django-vulnerability
branch
from
February 4, 2022 15:46
cd13e88
to
932f76b
Compare
renovate-bot
changed the title
chore(deps): update dependency django to v2 [security]
chore(deps): update dependency django to v1.11.29 [security]
Feb 4, 2022
renovate-bot
force-pushed
the
renovate/pypi-django-vulnerability
branch
from
February 4, 2022 23:32
932f76b
to
e13c36d
Compare
renovate-bot
changed the title
chore(deps): update dependency django to v1.11.29 [security]
chore(deps): update dependency django to v2 [security]
Feb 4, 2022
renovate-bot
force-pushed
the
renovate/pypi-django-vulnerability
branch
from
February 5, 2022 08:08
e13c36d
to
f36802d
Compare
renovate-bot
changed the title
chore(deps): update dependency django to v2 [security]
chore(deps): update dependency django to v1.11.29 [security]
Feb 5, 2022
renovate-bot
force-pushed
the
renovate/pypi-django-vulnerability
branch
from
February 5, 2022 09:39
f36802d
to
02a6192
Compare
renovate-bot
changed the title
chore(deps): update dependency django to v1.11.29 [security]
chore(deps): update dependency django to v2 [security]
Feb 5, 2022
renovate-bot
force-pushed
the
renovate/pypi-django-vulnerability
branch
from
February 5, 2022 14:59
02a6192
to
73d0a76
Compare
renovate-bot
changed the title
chore(deps): update dependency django to v2 [security]
chore(deps): update dependency django to v1.11.29 [security]
Feb 5, 2022
renovate-bot
force-pushed
the
renovate/pypi-django-vulnerability
branch
from
February 5, 2022 20:51
73d0a76
to
14c448c
Compare
renovate-bot
changed the title
chore(deps): update dependency django to v2 [security]
chore(deps): update dependency django to v1.11.29 [security]
May 10, 2024
renovate-bot
force-pushed
the
renovate/pypi-django-vulnerability
branch
from
May 10, 2024 04:00
427b370
to
7164047
Compare
renovate-bot
changed the title
chore(deps): update dependency django to v1.11.29 [security]
chore(deps): update dependency django to v2 [security]
May 10, 2024
renovate-bot
changed the title
chore(deps): update dependency django to v2 [security]
chore(deps): update dependency django to v1.11.29 [security]
May 10, 2024
renovate-bot
force-pushed
the
renovate/pypi-django-vulnerability
branch
2 times, most recently
from
May 10, 2024 15:48
564f6e5
to
137d51c
Compare
renovate-bot
changed the title
chore(deps): update dependency django to v1.11.29 [security]
chore(deps): update dependency django to v2 [security]
May 10, 2024
renovate-bot
force-pushed
the
renovate/pypi-django-vulnerability
branch
from
May 10, 2024 19:55
137d51c
to
40eb602
Compare
renovate-bot
changed the title
chore(deps): update dependency django to v2 [security]
chore(deps): update dependency django to v1.11.29 [security]
May 10, 2024
renovate-bot
force-pushed
the
renovate/pypi-django-vulnerability
branch
from
May 10, 2024 23:18
40eb602
to
0380a25
Compare
renovate-bot
changed the title
chore(deps): update dependency django to v1.11.29 [security]
chore(deps): update dependency django to v2 [security]
May 10, 2024
renovate-bot
force-pushed
the
renovate/pypi-django-vulnerability
branch
from
May 13, 2024 14:57
0380a25
to
563dd2d
Compare
renovate-bot
changed the title
chore(deps): update dependency django to v2 [security]
chore(deps): update dependency django to v1.11.29 [security]
May 13, 2024
renovate-bot
force-pushed
the
renovate/pypi-django-vulnerability
branch
from
May 13, 2024 18:41
563dd2d
to
9da433a
Compare
renovate-bot
changed the title
chore(deps): update dependency django to v1.11.29 [security]
chore(deps): update dependency django to v2 [security]
May 13, 2024
renovate-bot
force-pushed
the
renovate/pypi-django-vulnerability
branch
from
May 13, 2024 18:57
9da433a
to
0d00ceb
Compare
renovate-bot
changed the title
chore(deps): update dependency django to v2 [security]
chore(deps): update dependency django to v1.11.29 [security]
May 13, 2024
renovate-bot
force-pushed
the
renovate/pypi-django-vulnerability
branch
from
May 14, 2024 09:54
0d00ceb
to
86f761e
Compare
renovate-bot
changed the title
chore(deps): update dependency django to v1.11.29 [security]
chore(deps): update dependency django to v2 [security]
May 14, 2024
renovate-bot
force-pushed
the
renovate/pypi-django-vulnerability
branch
from
May 14, 2024 10:57
86f761e
to
d341261
Compare
renovate-bot
changed the title
chore(deps): update dependency django to v2 [security]
chore(deps): update dependency django to v1.11.29 [security]
May 14, 2024
renovate-bot
changed the title
chore(deps): update dependency django to v1.11.29 [security]
chore(deps): update dependency django to v2 [security]
May 16, 2024
renovate-bot
force-pushed
the
renovate/pypi-django-vulnerability
branch
2 times, most recently
from
May 16, 2024 06:55
f8174e8
to
63907ba
Compare
renovate-bot
changed the title
chore(deps): update dependency django to v2 [security]
chore(deps): update dependency django to v1.11.29 [security]
May 16, 2024
renovate-bot
force-pushed
the
renovate/pypi-django-vulnerability
branch
from
May 18, 2024 00:51
63907ba
to
ec406f8
Compare
renovate-bot
changed the title
chore(deps): update dependency django to v1.11.29 [security]
chore(deps): update dependency django to v2 [security]
May 18, 2024
renovate-bot
force-pushed
the
renovate/pypi-django-vulnerability
branch
from
May 20, 2024 03:57
ec406f8
to
d094b42
Compare
renovate-bot
changed the title
chore(deps): update dependency django to v2 [security]
chore(deps): update dependency django to v1.11.29 [security]
May 20, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
==1.8.12
->==1.11.29
GitHub Vulnerability Alerts
CVE-2018-7536
An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. The
django.utils.html.urlize()
function was extremely slow to evaluate certain inputs due to catastrophic backtracking vulnerabilities in two regular expressions (only one regular expression for Django 1.8.x). Theurlize()
function is used to implement the urlize and urlizetrunc template filters, which were thus vulnerable.CVE-2018-7537
An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable.
CVE-2017-7234
A maliciously crafted URL to a Django (1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18) site using the
django.views.static.serve()
view could redirect to any other domain, aka an open redirect vulnerability.CVE-2017-7233
Django 1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18 relies on user input in some cases to redirect the user to an "on success" URL. The security check for these redirects (namely
django.utils.http.is_safe_url()
) considered some numeric URLs "safe" when they shouldn't be, aka an open redirect vulnerability. Also, if a developer relies onis_safe_url()
to provide safe redirect targets and puts such a URL into a link, they could suffer from an XSS attack.CVE-2019-3498
In Django 1.11.x before 1.11.18, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, an Improper Neutralization of Special Elements in Output Used by a Downstream Component issue exists in
django.views.defaults.page_not_found()
, leading to content spoofing (in a 404 error page) if a user fails to recognize that a crafted URL has malicious content.CVE-2019-6975
Django 1.11.x before 1.11.19, 2.0.x before 2.0.11, and 2.1.x before 2.1.6 allows Uncontrolled Memory Consumption via a malicious attacker-supplied value to the
django.utils.numberformat.format()
function.CVE-2019-19844
Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user's email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. (One mitigation in the new releases is to send password reset tokens only to the registered user email address.)
CVE-2020-7471
Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 allows SQL Injection if untrusted data is used as a StringAgg delimiter (e.g., in Django applications that offer downloads of data as a series of rows with a user-specified column delimiter). By passing a suitably crafted delimiter to a contrib.postgres.aggregates.StringAgg instance, it was possible to break escaping and inject malicious SQL.
CVE-2021-33203
Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via django.contrib.admindocs. Staff members could use the TemplateDetailView view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by application developers to also show file contents, then not only the existence but also the file contents would have been exposed. In other words, there is directory traversal outside of the template root directories.
CVE-2016-6186
Cross-site scripting (XSS) vulnerability in the
dismissChangeRelatedObjectPopup
function incontrib/admin/static/admin/js/admin/RelatedObjectLookups.js
in Django before 1.8.14, 1.9.x before 1.9.8, and 1.10.x before 1.10rc1 allows remote attackers to inject arbitrary web script or HTML via vectors involving unsafe usage of Element.innerHTML.CVE-2016-7401
The cookie parsing code in Django before 1.8.15 and 1.9.x before 1.9.10, when used on a site with Google Analytics, allows remote attackers to bypass an intended CSRF protection mechanism by setting arbitrary cookies.
CVE-2016-9014
Django before 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3, when settings.DEBUG is True, allow remote attackers to conduct DNS rebinding attacks by leveraging failure to validate the HTTP Host header against settings.ALLOWED_HOSTS.
CVE-2024-24680
An issue was discovered in Django 3.2 before 3.2.24, 4.2 before 4.2.10, and Django 5.0 before 5.0.2. The intcomma template filter was subject to a potential denial-of-service attack when used with very long strings.
CVE-2016-9013
Django 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3 use a hardcoded password for a temporary database user created when running tests with an Oracle database, which makes it easier for remote attackers to obtain access to the database server by leveraging failure to manually specify a password in the database settings TEST dictionary.
CVE-2021-44420
In Django 2.2 before 2.2.25, 3.1 before 3.1.14, and 3.2 before 3.2.10, HTTP requests for URLs with trailing newlines could bypass upstream access control based on URL paths. This issue has low severity, according to the Django security policy.
Release Notes
django/django (django)
v1.11.29
Compare Source
v1.11.28
Compare Source
v1.11.27
Compare Source
v1.11.26
Compare Source
v1.11.25
Compare Source
v1.11.24
Compare Source
v1.11.23
Compare Source
v1.11.22
Compare Source
v1.11.21
Compare Source
v1.11.20
Compare Source
v1.11.18
Compare Source
v1.11.17
Compare Source
v1.11.16
Compare Source
v1.11.15
Compare Source
v1.11.14
Compare Source
v1.11.13
Compare Source
v1.11.12
Compare Source
v1.11.11
Compare Source
v1.11.10
Compare Source
v1.11.9
Compare Source
v1.11.8
Compare Source
v1.11.7
Compare Source
v1.11.6
Compare Source
v1.11.5
Compare Source
v1.11.4
Compare Source
v1.11.3
Compare Source
v1.11.2
Compare Source
v1.11.1
Compare Source
v1.11
Compare Source
v1.10.8
Compare Source
v1.10.7
Compare Source
v1.10.6
Compare Source
v1.10.5
Compare Source
v1.10.4
Compare Source
v1.10.3
Compare Source
v1.10.2
Compare Source
v1.10.1
Compare Source
v1.10
Compare Source
v1.9.13
Compare Source
v1.9.12
Compare Source
v1.9.11
Compare Source
v1.9.10
Compare Source
v1.9.9
Compare Source
v1.9.8
Compare Source
v1.9.7
Compare Source
v1.9.6
Compare Source
v1.9.5
Compare Source
v1.9.4
Compare Source
v1.9.3
Compare Source
v1.9.2
Compare Source
v1.9.1
Compare Source
v1.9
Compare Source
v1.8.19
Compare Source
v1.8.18
Compare Source
v1.8.17
Compare Source
v1.8.16
Compare Source
v1.8.15
Compare Source
v1.8.14
Compare Source
v1.8.13
Compare Source
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.